From c06e1bd64ba2f423911fab57cb17dbaa55ab4395 Mon Sep 17 00:00:00 2001 From: Christos Choutouridis Date: Sun, 11 Jan 2026 18:38:08 +0200 Subject: [PATCH] Fix plain text in user authendication. --- .../db/init/01-create-pwd_mgr-db-withData.sql | 2 +- passman-dev/php/passman/login.php | 51 ++++++++++--------- 2 files changed, 29 insertions(+), 24 deletions(-) diff --git a/passman-dev/db/init/01-create-pwd_mgr-db-withData.sql b/passman-dev/db/init/01-create-pwd_mgr-db-withData.sql index b39eb98..31207d5 100644 --- a/passman-dev/db/init/01-create-pwd_mgr-db-withData.sql +++ b/passman-dev/db/init/01-create-pwd_mgr-db-withData.sql @@ -31,7 +31,7 @@ CREATE TABLE IF NOT EXISTS `login_users` ( ) ENGINE=InnoDB AUTO_INCREMENT=4 DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_ci; INSERT INTO `login_users` (`id`, `username`, `password`) VALUES - (1, 'u1', 'p1'); + (1, 'u1', '$2y$10$L18u5/PyVkDgsce/DsUOQu0sKhTzh854Euhog3cVb1W4YAfgRzY8W'); /* php -r 'echo password_hash("p1", PASSWORD_DEFAULT), PHP_EOL;' */ CREATE TABLE IF NOT EXISTS `notes` ( `notesid` int(11) NOT NULL AUTO_INCREMENT, diff --git a/passman-dev/php/passman/login.php b/passman-dev/php/passman/login.php index 08a3f7d..ea54758 100644 --- a/passman-dev/php/passman/login.php +++ b/passman-dev/php/passman/login.php 
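Review bot: The `password` column that now has to hold this bcrypt string is defined above the hunk, so it is worth confirming it is wide enough: password_hash() output is 60 characters for the current `$2y$` format and the PHP manual recommends VARCHAR(255) so a future default algorithm is not cut off (a too-narrow column either rejects the INSERT in strict mode or silently stores a truncated hash that can never verify). The generating command is kept in a SQL comment next to the row, which leaves the plaintext `p1` in the seed script; that is acceptable for a dev fixture, but since the file is a `withData` init script a comment such as `-- dev-only seed user; replace before any shared deployment` would make the intent explicit. The CREATE TABLE statement for login_users starts outside the hunk.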
@@ -26,46 +26,51 @@ if ($_SERVER["REQUEST_METHOD"] === "POST") { // } require_once __DIR__ . "/config.php"; - // SQL injection mitigation: use a prepared statement with bound parameters. - // User input is treated strictly as data, not as part of the SQL syntax. - $stmt = $conn->prepare("SELECT id FROM login_users WHERE username = ? AND password = ?"); - + // Authentication with hashed passwords: + // 1) Fetch the stored hash by username + // SQL injection mitigation: use a prepared statement with bound parameters. + // User input is treated strictly as data, not as part of the SQL syntax. + // 2) Verify the submitted password with password_verify() + $stmt = $conn->prepare("SELECT id, password FROM login_users WHERE username = ?"); if ($stmt === false) { // Fail closed (do not leak details in production). die("Prepare failed."); } - $stmt->bind_param("ss", $username, $password); + $stmt->bind_param("s", $username); $stmt->execute(); - $stmt->store_result(); // Needed to use $stmt->num_rows + + $result = $stmt->get_result(); // Requires mysqlnd (usually enabled) unset($_POST['username']); unset($_POST['password']); - if ($stmt->num_rows >= 1) { - // Regenerate session ID to prevent session fixation! - //session_regenerate_id(true); + if ($result && $result->num_rows === 1) { + $row = $result->fetch_assoc(); + $stored_hash = $row["password"]; - // Successfully logged in - $_SESSION['username'] = $username; - $_SESSION['loggedin'] = true; + // Verify password against the stored hash. + if (password_verify($password, $stored_hash)) { + // Regenerate session ID to prevent session fixation! 
+ //session_regenerate_id(true); - //while ($row = $result -> fetch_assoc()) { - // print_r($row); - // $_SESSION['user_id'] = $row['id']; - //} + // Successfully logged in + $_SESSION['username'] = $username; + $_SESSION['loggedin'] = true; - // Close - $stmt->close(); - $conn -> close(); + $stmt->close(); + $conn->close(); - // Redirect to a dashboard page - header("Location: dashboard.php"); - exit; + header("Location: dashboard.php"); + exit; + } else { + $login_message = "Invalid username or password"; + } } else { $login_message = "Invalid username or password"; } + $stmt->close(); - $conn -> close(); + $conn->close(); } } ?>
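Review bot: After `password_verify()` succeeds the session-fixation guard is still commented out (`//session_regenerate_id(true);` directly under the "Regenerate session ID" comment), so the session id issued before login is kept when `$_SESSION['loggedin']` is set; the comment already states the reason, so the line should become `session_regenerate_id(true);` before the two `$_SESSION` writes. Second, when no row matches the username the verify step is skipped entirely, so that branch returns measurably faster than the wrong-password branch; calling `password_verify($password, $dummy_hash)` against a constant hash in the `else` path keeps both branches' timing comparable. Minor: the same `$login_message = "Invalid username or password";` now appears in two `else` branches, and a single `$authenticated` flag set by the nested conditions would remove the duplication. The enclosing `if ($_SERVER["REQUEST_METHOD"] === "POST")` block begins before the hunk.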